From f57d6d82e598c4618600c84cfe330de425ba9dbd Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 24 May 2022 15:03:49 +0000
Subject: [PATCH 01/28] updates
---
 .github/workflows/scripts/builder-fetch.sh | 89 ++++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 .github/workflows/scripts/builder-fetch.sh
diff --git a/.github/workflows/scripts/builder-fetch.sh b/.github/workflows/scripts/builder-fetch.sh
new file mode 100644
index 0000000000..f0488c2eb7
--- /dev/null
+++ b/.github/workflows/scripts/builder-fetch.sh
@@ -0,0 +1,89 @@
+#!/usr/bin/env bash
+BUILDER_REPOSITORY="slsa-framework/example-package"
+# Caller sets the following:
+#BUILDER_REF="v13.0.10" or "6a1e642a8689671a2cec9287149eb50bd9fe5ef6"
+#BUILDER_REF="6a1e642a8689671a2cec9287149eb50bd9fe5ef6" # v11.0.14
+#BUILDER_BINARY="binary-linux-amd64"
+
+# Verifier info.
+#VERIFIER_REPOSITORY="slsa-framework/slsa-verifier"
+VERIFIER_REPOSITORY="slsa-framework/example-package"
+VERIFIER_RELEASE="v13.0.10"
+VERIFIER_BINARY="binary-linux-amd64"
+VERIFIER_BINARY_SHA256="89fbcba9aed67d5146ea99946c7e4e5a80e3767871f0e3ffcd0b582134efd010"
+
+if [[ -z "$BUILDER_REF" ]]; then
+ echo "empty hash"
+ exit 2
+fi
+
+if [[ "$BUILDER_REF" = "$(echo -n "$BUILDER_REF" | grep -P '^[a-f\d]{40}$')" ]]; then
+ echo "it's a hash: $BUILDER_REF"
+ echo "resolving..."
+
+ RELEASE_TAG=""
+
+ # List the releases and find the corepsonding hash.
+ RELEASE_LIST=$(./gh/gh_2.9.0_linux_amd64/bin/gh release -R "$BUILDER_REPOSITORY" -L 50 list)
+ while read line; do
+ TAG=$(echo "$line" | cut -f1)
+ BRANCH=$(./gh/gh_2.9.0_linux_amd64/bin/gh release -R "$BUILDER_REPOSITORY" view "$TAG" --json targetCommitish --jq '.targetCommitish')
+ if [[ "$BRANCH" != "main" ]]; then
+ continue
+ fi
+ COMMIT=$(./gh/gh_2.9.0_linux_amd64/bin/gh api /repos/"$BUILDER_REPOSITORY"/git/ref/tags/"$TAG" | jq -r '.object.sha')
+ if [[ "$COMMIT" == "$BUILDER_REF" ]]; then
+ RELEASE_TAG="$TAG"
+ echo "Found tag $BUILDER_REF match at tag $TAG and commit $COMMIT"
+ break
+ fi
+ done <<< "$RELEASE_LIST"
+
+ if [[ -z "$RELEASE_TAG" ]]; then
+ echo "Tag not found for $BUILDER_REF"
+ exit 3
+ fi
+
+ BUILDER_REF="$RELEASE_TAG"
+fi
+
+if [[ "$BUILDER_REF" != "$(echo -n "$BUILDER_REF" | grep -P '^v\d*(\.([\d]{1,})){0,2}$')" ]]; then
+ echo "invalid ref: $BUILDER_REF"
+ exit 0
+fi
+
+echo "builder version: $BUILDER_REF"
+
+# Fetch the release binary and provenance.
+./gh/gh_2.9.0_linux_amd64/bin/gh release -R "$BUILDER_REPOSITORY" download "$BUILDER_REF" -p "$BUILDER_BINARY*"
+# Test
+mv $BUILDER_BINARY builder-binary
+mv $BUILDER_BINARY.intoto.jsonl builder-binary.intoto.jsonl
+
+# Fetch the verifier at the right hash.
+./gh/gh_2.9.0_linux_amd64/bin/gh release -R "$VERIFIER_REPOSITORY" download "$VERIFIER_RELEASE" -p "$VERIFIER_BINARY"
+COMPUTED_HASH=$(sha256sum "$VERIFIER_BINARY" | awk '{print $1}')
+echo "verifier hash computed is $COMPUTED_HASH"
+echo "$VERIFIER_BINARY_SHA256 $VERIFIER_BINARY" | sha256sum --strict --check --status || exit 4
+echo "verifier hash verification has passed"
+# Test
+#mv $VERIFIER_BINARY verifier-binary
+
+
+# Verify the provenance of the builder.
+#./verifier-binary --branch "$BRANCH" --versioned-tag "$BUILDER_REF" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$BUILDER_REPOSITORY"
+./verifier-binary --branch main --tag "$BUILDER_REF" --artifact-path builder-binary --provenance builder-binary.intoto.jsonl --source "github.com/$BUILDER_REPOSITORY" || exit 5
+BUILDER_COMMIT=$(./gh/gh_2.9.0_linux_amd64/bin/gh api /repos/"$BUILDER_REPOSITORY"/git/ref/tags/"$BUILDER_REF" | jq -r '.object.sha')
+PROVENANCE_COMMIT=$(cat builder-binary.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.predicate.materials[0].digest.sha1')
+if [[ "$BUILDER_COMMIT" != "$PROVENANCE_COMMIT" ]]; then
+ echo "builder commit sha $BUILDER_COMMIT != provenance material $PROVENANCE_COMMIT"
+ exit 5
+fi
+
+echo "builder provenance verified at tag $BUILDER_REF and commit $BUILDER_COMMIT"
+#
+# 1. List the releases.
+#./gh/gh_2.9.0_linux_amd64/bin/gh release list -R $REPO
+
+# 2. Find the right release
+#./gh/gh_2.9.0_linux_amd64/bin/gh api -H "Accept: application/vnd.github.v3+json" /repos/$REPO/releases/tags/v15.0.11 | jq -r '.target_commitish'
\ No newline at end of file
From 42d0f4af2667812b028d5143169b968287c1c12b Mon Sep 17 00:00:00 2001
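Review bot: The new script never enables `set -euo pipefail`, so a failed `gh release download` of the builder at the top of this part of the hunk is not fatal: the unquoted `mv $BUILDER_BINARY builder-binary` lines then fail in turn and execution only stops at `./verifier-binary ... || exit 5`, with misleading diagnostics along the way. Adding `set -euo pipefail` under the shebang and an explicit `|| exit` on both download lines makes every fetch step fail closed. The `exit 0` after `echo "invalid ref: $BUILDER_REF"` reports success for a ref the script could not parse, so a caller would continue without a builder; the other error paths use non-zero codes and this one should too. The `while read line` loop should be `while IFS= read -r line` so tag names are taken verbatim.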
From: laurentsimon Date: Tue, 24 May 2022 15:34:57 +0000 Subject: [PATCH 02/28] updates --- .github/workflows/builder_go_slsa3.yml | 61 +++++++++++++-------- .github/workflows/scripts/builder-fetch.sh | 63 +++++++++++----------- 2 files changed, 70 insertions(+), 54 deletions(-) mode change 100644 => 100755 .github/workflows/scripts/builder-fetch.sh diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml index e126479e88..cd9a420b54 100644 --- a/.github/workflows/builder_go_slsa3.yml +++ b/.github/workflows/builder_go_slsa3.yml @@ -22,6 +22,12 @@ env: GENERATED_BINARY_NAME: compiled-binary # Builder BUILDER_BINARY: builder + BUILDER_RELEASE_BINARY: builder-linux-amd64 + # Verifier + VERIFIER_REPOSITORY: laurentsimon/slsa-verifier + VERIFIER_RELEASE_BINARY: slsa-verify-linux-amd64 + VERIFIER_RELEASE_BINARY_SHA256: 89fbcba9aed67d5146ea99946c7e4e5a80e3767871f0e3ffcd0b582134efd010 + VERIFIER_RELEASE: v13.0.10 # Builder location BUILDER_DIR: builders @@ -34,11 +40,11 @@ on: workflow_call: inputs: go-version: - description: "The go version to use" + description: "The go version to use." required: true type: string upload-assets: - description: "Whether to upload assets to a GitHub release or not" + description: "Whether to upload assets to a GitHub release or not." required: false type: boolean default: true 
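Review bot: `VERIFIER_RELEASE_BINARY_SHA256` in the new env block carries the same digest (`89fbcba9…efd010`) that patch 01 pinned for `binary-linux-amd64` from `slsa-framework/example-package`, yet this hunk points the verifier at a different repository (`laurentsimon/slsa-verifier`) and a different asset name (`slsa-verify-linux-amd64`). Two distinct release assets cannot share a SHA-256 unless they are byte-identical, so this value looks like a placeholder carried over rather than the digest of the binary actually fetched, in which case `builder-fetch.sh` will fail its `sha256sum --check` (exit 4) on every run that takes the fetch path. Recording the provenance of the pin next to it would help later maintainers, e.g. `# sha256 of VERIFIER_RELEASE_BINARY from the VERIFIER_RELEASE release; regenerate with sha256sum on the downloaded asset`. The verifier repository is also a personal fork rather than the `slsa-framework/slsa-verifier` named in the script's commented-out line, which is presumably a development setting worth marking as such.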
@@ -48,12 +54,17 @@ on: type: string default: ".slsa-goreleaser.yml" evaluated-envs: - description: "Evaluated env variables to pass to the builder" + description: "Evaluated env variables to pass to the builder." required: false type: string + compile-builder: + description: "Build the builder from source. This increases build time by ~2mn." + required: false + type: boolean + default: false outputs: go-binary-name: - description: "The name of the generated binary uploaded to the artifact registry" + description: "The name of the generated binary uploaded to the artifact registry." value: ${{ jobs.build-dry.outputs.go-binary-name }} jobs: @@ -130,10 +141,7 @@ jobs: run: | set -euo pipefail - cd "$BUILDER_DIR"/go/ - - #TODO(reproducible) - go mod vendor + # TODO(hermeticity) OS-level. # - name: Disable hermeticity 
@@ -145,19 +153,34 @@ jobs: shell: bash id: builder-gen env: - BUILDER_BINARY: "${{ env.BUILDER_BINARY }}" + COMPILE_BUILDER: "${{ inputs.compiler-builder }}" + BUILDER_REF: "${{ needs.detect-env.outputs.builder_ref }}" run: | set -euo pipefail - cd "$BUILDER_DIR"/go/ + if [[ "$COMPILE_BUILDER" = true ]]; then + echo "Building the builder" - # https://go.dev/ref/mod#build-commands. - go build -mod=vendor -o "$BUILDER_BINARY" - BUILDER_DIGEST=$(sha256sum "$BUILDER_BINARY" | awk '{print $1}') - echo "::set-output name=go-builder-sha256::$BUILDER_DIGEST" - echo "hash of $BUILDER_BINARY is $BUILDER_DIGEST" + cd "$BUILDER_DIR"/go/ - mv "$BUILDER_BINARY" ../../"$BUILDER_BINARY" + #TODO(reproducible) + go mod vendor + + # https://go.dev/ref/mod#build-commands. + go build -mod=vendor -o "$BUILDER_BINARY" + BUILDER_DIGEST=$(sha256sum "$BUILDER_BINARY" | awk '{print $1}') + echo "::set-output name=go-builder-sha256::$BUILDER_DIGEST" + echo "hash of $BUILDER_BINARY is $BUILDER_DIGEST" + + mv "$BUILDER_BINARY" ../../"$BUILDER_BINARY" + else + echo "Fetching the builder with ref: $BUILDER_REF" + + .github/workflows/scripts/builder-fetch.sh + + mv "$BUILDER_RELEASE_BINARY" ../../"$BUILDER_BINARY" + fi + - name: Upload the builder uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1 @@ -202,7 +225,6 @@ jobs: - name: Verify builder env: BUILDER_HASH: "${{ needs.builder.outputs.go-builder-sha256 }}" - BUILDER_BINARY: "${{ env.BUILDER_BINARY }}" run: | set -euo pipefail @@ -221,7 +243,6 @@ jobs: id: build-dry shell: bash env: - BUILDER_BINARY: "${{ env.BUILDER_BINARY }}" CONFIG_FILE: "${{ inputs.config-file }}" UNTRUSTED_ENVS: "${{ inputs.evaluated-envs }}" run: | @@ -264,7 +285,6 @@ jobs: - name: Verify builder env: BUILDER_HASH: "${{ needs.builder.outputs.go-builder-sha256 }}" - BUILDER_BINARY: "${{ env.BUILDER_BINARY }}" run: | set -euo pipefail 
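Review bot: In the new `else` branch of the `builder-gen` step, `mv "$BUILDER_RELEASE_BINARY" ../../"$BUILDER_BINARY"` runs from the workspace root, because the `cd "$BUILDER_DIR"/go/` now happens only inside the `if` branch; the fetched builder is therefore moved two directories above the checkout instead of to the workspace path the upload step expects. The branch also never emits `::set-output name=go-builder-sha256`, so in the fetch path `needs.builder.outputs.go-builder-sha256`, consumed as `BUILDER_HASH` by the `Verify builder` steps in the hunks below, is empty; presumably that verification then cannot bind the downloaded builder to a digest — worth confirming against the step body, which is outside these hunks. Computing the digest once after both branches, e.g. `BUILDER_DIGEST=$(sha256sum "$BUILDER_BINARY" | awk '{print $1}')` followed by the existing `set-output` line, fixes both paths. Separately, `inputs.compiler-builder` on the `COMPILE_BUILDER` line does not match the `compile-builder` input declared in the earlier hunk, so `COMPILE_BUILDER` is empty and the fetch path is always taken.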
@@ -300,7 +320,6 @@ jobs: id: build-gen shell: bash env: - BUILDER_BINARY: "${{ env.BUILDER_BINARY }}" CONFIG_FILE: "${{ inputs.config-file }}" UNTRUSTED_ENVS: "${{ inputs.evaluated-envs }}" run: | @@ -398,7 +417,6 @@ jobs: - name: Verify builder env: BUILDER_HASH: "${{ needs.builder.outputs.go-builder-sha256 }}" - BUILDER_BINARY: "${{ env.BUILDER_BINARY }}" run: | set -euo pipefail @@ -422,7 +440,6 @@ jobs: UNTRUSTED_COMMAND: "${{ needs.build-dry.outputs.go-command }}" UNTRUSTED_ENV: "${{ needs.build-dry.outputs.go-env }}" UNTRUSTED_WORKING_DIR: "${{ needs.build-dry.outputs.go-working-dir }}" - BUILDER_BINARY: "${{ env.BUILDER_BINARY }}" GITHUB_CONTEXT: "${{ toJSON(github) }}" run: | set -euo pipefail diff --git a/.github/workflows/scripts/builder-fetch.sh b/.github/workflows/scripts/builder-fetch.sh old mode 100644 new mode 100755 index f0488c2eb7..fd431de03a --- a/.github/workflows/scripts/builder-fetch.sh +++ b/.github/workflows/scripts/builder-fetch.sh @@ -1,16 +1,16 @@ #!/usr/bin/env bash -BUILDER_REPOSITORY="slsa-framework/example-package" # Caller sets the following: +#BUILDER_REPOSITORY="slsa-framework/example-package" #BUILDER_REF="v13.0.10" or "6a1e642a8689671a2cec9287149eb50bd9fe5ef6" #BUILDER_REF="6a1e642a8689671a2cec9287149eb50bd9fe5ef6" # v11.0.14 -#BUILDER_BINARY="binary-linux-amd64" +#BUILDER_RELEASE_BINARY="builder-linux-amd64" # Verifier info. #VERIFIER_REPOSITORY="slsa-framework/slsa-verifier" -VERIFIER_REPOSITORY="slsa-framework/example-package" -VERIFIER_RELEASE="v13.0.10" -VERIFIER_BINARY="binary-linux-amd64" -VERIFIER_BINARY_SHA256="89fbcba9aed67d5146ea99946c7e4e5a80e3767871f0e3ffcd0b582134efd010" +#VERIFIER_REPOSITORY="slsa-framework/example-package" +#VERIFIER_RELEASE="v13.0.10" +#VERIFIER_RELEASE_BINARY="binary-linux-amd64" +#VERIFIER_RELEASE_BINARY_SHA256="89fbcba9aed67d5146ea99946c7e4e5a80e3767871f0e3ffcd0b582134efd010" if [[ -z "$BUILDER_REF" ]]; then echo "empty hash" 
@@ -18,20 +18,20 @@ if [[ -z "$BUILDER_REF" ]]; then fi if [[ "$BUILDER_REF" = "$(echo -n "$BUILDER_REF" | grep -P '^[a-f\d]{40}$')" ]]; then - echo "it's a hash: $BUILDER_REF" - echo "resolving..." + echo "Builder referenced by hash: $BUILDER_REF" + echo "Resolving..." RELEASE_TAG="" # List the releases and find the corepsonding hash. - RELEASE_LIST=$(./gh/gh_2.9.0_linux_amd64/bin/gh release -R "$BUILDER_REPOSITORY" -L 50 list) + RELEASE_LIST=$(gh release -R "$BUILDER_REPOSITORY" -L 50 list) while read line; do TAG=$(echo "$line" | cut -f1) - BRANCH=$(./gh/gh_2.9.0_linux_amd64/bin/gh release -R "$BUILDER_REPOSITORY" view "$TAG" --json targetCommitish --jq '.targetCommitish') + BRANCH=$(gh release -R "$BUILDER_REPOSITORY" view "$TAG" --json targetCommitish --jq '.targetCommitish') if [[ "$BRANCH" != "main" ]]; then continue fi - COMMIT=$(./gh/gh_2.9.0_linux_amd64/bin/gh api /repos/"$BUILDER_REPOSITORY"/git/ref/tags/"$TAG" | jq -r '.object.sha') + COMMIT=$(gh api /repos/"$BUILDER_REPOSITORY"/git/ref/tags/"$TAG" | jq -r '.object.sha') if [[ "$COMMIT" == "$BUILDER_REF" ]]; then RELEASE_TAG="$TAG" echo "Found tag $BUILDER_REF match at tag $TAG and commit $COMMIT" 
@@ -48,42 +48,41 @@ if [[ "$BUILDER_REF" = "$(echo -n "$BUILDER_REF" | grep -P '^[a-f\d]{40}$')" ]]; fi if [[ "$BUILDER_REF" != "$(echo -n "$BUILDER_REF" | grep -P '^v\d*(\.([\d]{1,})){0,2}$')" ]]; then - echo "invalid ref: $BUILDER_REF" + echo "Invalid ref: $BUILDER_REF" exit 0 fi -echo "builder version: $BUILDER_REF" +echo "Builder version: $BUILDER_REF" # Fetch the release binary and provenance. -./gh/gh_2.9.0_linux_amd64/bin/gh release -R "$BUILDER_REPOSITORY" download "$BUILDER_REF" -p "$BUILDER_BINARY*" +gh release -R "$BUILDER_REPOSITORY" download "$BUILDER_REF" -p "$BUILDER_RELEASE_BINARY*" # Test -mv $BUILDER_BINARY builder-binary -mv $BUILDER_BINARY.intoto.jsonl builder-binary.intoto.jsonl +#mv $BUILDER_RELEASE_BINARY builder-binary +#mv $BUILDER_RELEASE_BINARY.intoto.jsonl builder-binary.intoto.jsonl # Fetch the verifier at the right hash. -./gh/gh_2.9.0_linux_amd64/bin/gh release -R "$VERIFIER_REPOSITORY" download "$VERIFIER_RELEASE" -p "$VERIFIER_BINARY" -COMPUTED_HASH=$(sha256sum "$VERIFIER_BINARY" | awk '{print $1}') +gh release -R "$VERIFIER_REPOSITORY" download "$VERIFIER_RELEASE" -p "$VERIFIER_RELEASE_BINARY" +COMPUTED_HASH=$(sha256sum "$VERIFIER_RELEASE_BINARY" | awk '{print $1}') echo "verifier hash computed is $COMPUTED_HASH" -echo "$VERIFIER_BINARY_SHA256 $VERIFIER_BINARY" | sha256sum --strict --check --status || exit 4 +echo "$VERIFIER_RELEASE_BINARY_SHA256 $VERIFIER_RELEASE_BINARY" | sha256sum --strict --check --status || exit 4 echo "verifier hash verification has passed" # Test -#mv $VERIFIER_BINARY verifier-binary +#mv $VERIFIER_RELEASE_BINARY verifier-binary # Verify the provenance of the builder. 
-#./verifier-binary --branch "$BRANCH" --versioned-tag "$BUILDER_REF" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$BUILDER_REPOSITORY" -./verifier-binary --branch main --tag "$BUILDER_REF" --artifact-path builder-binary --provenance builder-binary.intoto.jsonl --source "github.com/$BUILDER_REPOSITORY" || exit 5 -BUILDER_COMMIT=$(./gh/gh_2.9.0_linux_amd64/bin/gh api /repos/"$BUILDER_REPOSITORY"/git/ref/tags/"$BUILDER_REF" | jq -r '.object.sha') -PROVENANCE_COMMIT=$(cat builder-binary.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.predicate.materials[0].digest.sha1') +./"$VERIFIER_RELEASE_BINARY" --branch "main" \ + --tag "$BUILDER_REF" \ + --artifact-path "$BUILDER_RELEASE_BINARY" \ + --provenance "$BUILDER_RELEASE_BINARY.intoto.jsonl" \ + --source "github.com/$BUILDER_REPOSITORY" + +#./verifier-binary --branch main --tag "$BUILDER_REF" --artifact-path builder-binary --provenance builder-binary.intoto.jsonl --source "github.com/$BUILDER_REPOSITORY" || exit 5 +BUILDER_COMMIT=$(gh api /repos/"$BUILDER_REPOSITORY"/git/ref/tags/"$BUILDER_REF" | jq -r '.object.sha') +PROVENANCE_COMMIT=$(cat "$BUILDER_RELEASE_BINARY.intoto.jsonl" | jq -r '.payload' | base64 -d | jq -r '.predicate.materials[0].digest.sha1') if [[ "$BUILDER_COMMIT" != "$PROVENANCE_COMMIT" ]]; then - echo "builder commit sha $BUILDER_COMMIT != provenance material $PROVENANCE_COMMIT" + echo "Builder commit sha $BUILDER_COMMIT != provenance material $PROVENANCE_COMMIT" exit 5 fi -echo "builder provenance verified at tag $BUILDER_REF and commit $BUILDER_COMMIT" -# -# 1. List the releases. -#./gh/gh_2.9.0_linux_amd64/bin/gh release list -R $REPO - -# 2. Find the right release -#./gh/gh_2.9.0_linux_amd64/bin/gh api -H "Accept: application/vnd.github.v3+json" /repos/$REPO/releases/tags/v15.0.11 | jq -r '.target_commitish' \ No newline at end of file +echo "Builder provenance verified at tag $BUILDER_REF and commit $BUILDER_COMMIT" 
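Review bot: The rewritten verifier invocation `./"$VERIFIER_RELEASE_BINARY" --branch "main" ... --source "github.com/$BUILDER_REPOSITORY"` drops the `|| exit 5` the removed line had, and the script does not run under `set -e`, so a failed provenance verification no longer stops execution: the script goes on to the commit comparison and prints `Builder provenance verified ...`. Restoring the check on the last continuation line, `--source "github.com/$BUILDER_REPOSITORY" || exit 5`, keeps the verifier's verdict authoritative. The two `gh release download` lines earlier in the hunk are likewise unchecked. `cat "$BUILDER_RELEASE_BINARY.intoto.jsonl" | jq -r '.payload'` can read the file directly: `jq -r '.payload' "$BUILDER_RELEASE_BINARY.intoto.jsonl"`.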
From 3f827263b14db1a33667fdf6bd7378918f4c9691 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 24 May 2022 15:47:11 +0000 Subject: [PATCH 03/28] updates --- .../workflows/configs-go/config-release.yml | 14 +++++++++++ .github/workflows/release.yml | 23 +++++++++++++++++++ .github/workflows/scripts/builder-fetch.sh | 1 + 3 files changed, 38 insertions(+) create mode 100644 .github/workflows/configs-go/config-release.yml create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/configs-go/config-release.yml b/.github/workflows/configs-go/config-release.yml new file mode 100644 index 0000000000..d0901cee19 --- /dev/null +++ b/.github/workflows/configs-go/config-release.yml @@ -0,0 +1,14 @@ +# Used for pre-submit tests. +version: 1 +env: + - GO111MODULE=on + - CGO_ENABLED=0 + +flags: + - -trimpath + - -tags=netgo + +goos: linux +goarch: amd64 +dir: builders/go/ +binary: builder-{{ .Os }}-{{ .Arch }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000000..cdaab5af26 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,23 @@ +name: Go Realeaser + +on: + push: + tags: + - "*" # triggers only if push new tag version, like `0.8.4` or else + +permissions: read-all + +env: + GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }} + +jobs: + # Go builder. + go-builder: + permissions: + id-token: write # For signing. + contents: write # For asset uploads. + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@main + with: + go-version: 1.18 + config-file: .github/configs-go/config-release.yml + compile-builder: true \ No newline at end of file diff --git a/.github/workflows/scripts/builder-fetch.sh b/.github/workflows/scripts/builder-fetch.sh index fd431de03a..dfc66c33d5 100755 --- a/.github/workflows/scripts/builder-fetch.sh +++ b/.github/workflows/scripts/builder-fetch.sh 
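Review bot: `config-file: .github/configs-go/config-release.yml` in the new `release.yml` does not match the path of the config file this same commit adds, `.github/workflows/configs-go/config-release.yml`, so the builder will not find its configuration. `uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@main` references the reusable workflow by a mutable branch; for a workflow that signs and publishes release assets, pinning to a full commit SHA keeps the builder that runs reproducible, which is the practice already applied to actions elsewhere in the series (`actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1`), and patches 04 and 05 move this reference to the `feat/fastbuilds` branch of a personal fork, which has the same property. The workflow-level `env: GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }}` is presumably meant for the fetch script, but a caller's `env` is not passed into a called reusable workflow, so it may be ineffective here — worth confirming. `Go Realeaser` is a typo for `Releaser`.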
@@ -85,4 +85,5 @@ if [[ "$BUILDER_COMMIT" != "$PROVENANCE_COMMIT" ]]; then exit 5 fi +#TODO: verify the command echo "Builder provenance verified at tag $BUILDER_REF and commit $BUILDER_COMMIT" From 975bcae34312363047ef2c798482978895ea8476 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 24 May 2022 15:50:04 +0000 Subject: [PATCH 04/28] updates --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cdaab5af26..3e4dd87b9b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,4 @@ -name: Go Realeaser +name: Builders realeaser on: push: @@ -16,7 +16,7 @@ jobs: permissions: id-token: write # For signing. contents: write # For asset uploads. - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@main + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@feat/fastbuilds with: go-version: 1.18 config-file: .github/configs-go/config-release.yml From 8d0e93f680940273add7288ce93c6d6cbeced0fb Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 24 May 2022 15:53:19 +0000 Subject: [PATCH 05/28] updates --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3e4dd87b9b..5ab12030b8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,7 +16,7 @@ jobs: permissions: id-token: write # For signing. contents: write # For asset uploads. - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@feat/fastbuilds + uses: laurentsimon/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@feat/fastbuilds with: go-version: 1.18 config-file: .github/configs-go/config-release.yml From 7310c00375bf21bc413b3fa479811fd57ac3f1db Mon Sep 17 00:00:00 2001 
From: laurentsimon Date: Tue, 24 May 2022 15:57:51 +0000 Subject: [PATCH 06/28] updates --- .github/workflows/builder_go_slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml index cd9a420b54..75d8479e3c 100644 --- a/.github/workflows/builder_go_slsa3.yml +++ b/.github/workflows/builder_go_slsa3.yml @@ -153,7 +153,7 @@ jobs: shell: bash id: builder-gen env: - COMPILE_BUILDER: "${{ inputs.compiler-builder }}" + COMPILE_BUILDER: "${{ inputs.compile-builder }}" BUILDER_REF: "${{ needs.detect-env.outputs.builder_ref }}" run: | set -euo pipefail From 7de260636d9ab8580ec9ff0d871dabc94225d554 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 24 May 2022 16:32:09 +0000 Subject: [PATCH 07/28] updates --- .github/workflows/builder_go_slsa3.yml | 13 ------------- .github/workflows/release.yml | 2 +- 2 files changed, 1 insertion(+), 14 deletions(-) diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml index 75d8479e3c..27149f2cef 100644 --- a/.github/workflows/builder_go_slsa3.yml +++ b/.github/workflows/builder_go_slsa3.yml @@ -136,19 +136,6 @@ jobs: with: go-version: 1.18 - - name: Download dependencies - shell: bash - run: | - set -euo pipefail - - - - # TODO(hermeticity) OS-level. - # - name: Disable hermeticity - # uses: slsa/hermeticity@xxx - # with: - # to-state: enabled - - name: Build builder shell: bash id: builder-gen diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5ab12030b8..2d57ef6d7e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,5 +19,5 @@ jobs: uses: laurentsimon/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@feat/fastbuilds with: go-version: 1.18 - config-file: .github/configs-go/config-release.yml + config-file: .github/workflows/configs-go/config-release.yml compile-builder: true \ No newline at end of file 
From c3682d58c19c6fc60d3ded8e84b8cf3f52d6efa3 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 24 May 2022 18:33:28 +0000 Subject: [PATCH 08/28] updates --- .github/workflows/builder_go_slsa3.yml | 2 +- .../workflows/configs-go/config-release.yml | 2 +- .github/workflows/scripts/builder-fetch.sh | 47 ++++++++++--------- 3 files changed, 26 insertions(+), 25 deletions(-) diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml index 27149f2cef..925aa2c232 100644 --- a/.github/workflows/builder_go_slsa3.yml +++ b/.github/workflows/builder_go_slsa3.yml @@ -22,7 +22,7 @@ env: GENERATED_BINARY_NAME: compiled-binary # Builder BUILDER_BINARY: builder - BUILDER_RELEASE_BINARY: builder-linux-amd64 + BUILDER_RELEASE_BINARY: slsa-builder-go-linux-amd64 # Verifier VERIFIER_REPOSITORY: laurentsimon/slsa-verifier VERIFIER_RELEASE_BINARY: slsa-verify-linux-amd64 diff --git a/.github/workflows/configs-go/config-release.yml b/.github/workflows/configs-go/config-release.yml index d0901cee19..f0473af18f 100644 --- a/.github/workflows/configs-go/config-release.yml +++ b/.github/workflows/configs-go/config-release.yml @@ -11,4 +11,4 @@ flags: goos: linux goarch: amd64 dir: builders/go/ -binary: builder-{{ .Os }}-{{ .Arch }} +binary: slsa-builder-go-{{ .Os }}-{{ .Arch }} diff --git a/.github/workflows/scripts/builder-fetch.sh b/.github/workflows/scripts/builder-fetch.sh index dfc66c33d5..c4adf167c7 100755 --- a/.github/workflows/scripts/builder-fetch.sh +++ b/.github/workflows/scripts/builder-fetch.sh 
@@ -1,24 +1,25 @@ #!/usr/bin/env bash # Caller sets the following: -#BUILDER_REPOSITORY="slsa-framework/example-package" -#BUILDER_REF="v13.0.10" or "6a1e642a8689671a2cec9287149eb50bd9fe5ef6" -#BUILDER_REF="6a1e642a8689671a2cec9287149eb50bd9fe5ef6" # v11.0.14 +#BUILDER_REPOSITORY="slsa-framework/slsa-github-generator" +#BUILDER_TAG="v13.0.10" or "6a1e642a8689671a2cec9287149eb50bd9fe5ef6" #BUILDER_RELEASE_BINARY="builder-linux-amd64" - -# Verifier info. #VERIFIER_REPOSITORY="slsa-framework/slsa-verifier" -#VERIFIER_REPOSITORY="slsa-framework/example-package" #VERIFIER_RELEASE="v13.0.10" -#VERIFIER_RELEASE_BINARY="binary-linux-amd64" +#VERIFIER_RELEASE_BINARY="slsa-verifier-linux-amd64" #VERIFIER_RELEASE_BINARY_SHA256="89fbcba9aed67d5146ea99946c7e4e5a80e3767871f0e3ffcd0b582134efd010" -if [[ -z "$BUILDER_REF" ]]; then - echo "empty hash" +PREFIX="refs/tags/" + +# Extract version. +if [[ "$BUILDER_REF" =~ "^$PREFIX*" ]]; then + echo "Invalid ref: $BUILDER_REF" exit 2 fi -if [[ "$BUILDER_REF" = "$(echo -n "$BUILDER_REF" | grep -P '^[a-f\d]{40}$')" ]]; then - echo "Builder referenced by hash: $BUILDER_REF" +BUILDER_TAG="${BUILDER_REF#"$PREFIX"}" + +if [[ "$BUILDER_TAG" = "$(echo -n "$BUILDER_TAG" | grep -P '^[a-f\d]{40}$')" ]]; then + echo "Builder referenced by hash: $BUILDER_TAG" echo "Resolving..." RELEASE_TAG="" 
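Review bot: The new ref check `if [[ "$BUILDER_REF" =~ "^$PREFIX*" ]]` does not do what the `Invalid ref` message implies: with the right-hand side quoted, bash `=~` matches it as a literal string, so the script looks for the characters `^refs/tags/*` inside the ref and never rejects anything, and even read as a regex the condition is inverted, because a ref that does begin with `refs/tags/` is the valid case that the following `BUILDER_TAG="${BUILDER_REF#"$PREFIX"}"` strips. A glob comparison expresses the intent directly: `if [[ "$BUILDER_REF" != "$PREFIX"* ]]; then`. The removed `-z "$BUILDER_REF"` guard is also gone, so an empty ref now falls through to the hash and version regexes instead of being reported as empty; the corrected glob check covers that case, since an empty string does not start with the prefix.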
@@ -32,30 +33,30 @@ if [[ "$BUILDER_REF" = "$(echo -n "$BUILDER_REF" | grep -P '^[a-f\d]{40}$')" ]]; continue fi COMMIT=$(gh api /repos/"$BUILDER_REPOSITORY"/git/ref/tags/"$TAG" | jq -r '.object.sha') - if [[ "$COMMIT" == "$BUILDER_REF" ]]; then + if [[ "$COMMIT" == "$BUILDER_TAG" ]]; then RELEASE_TAG="$TAG" - echo "Found tag $BUILDER_REF match at tag $TAG and commit $COMMIT" + echo "Found tag $BUILDER_TAG match at tag $TAG and commit $COMMIT" break fi done <<< "$RELEASE_LIST" if [[ -z "$RELEASE_TAG" ]]; then - echo "Tag not found for $BUILDER_REF" + echo "Tag not found for $BUILDER_TAG" exit 3 fi - BUILDER_REF="$RELEASE_TAG" + BUILDER_TAG="$RELEASE_TAG" fi -if [[ "$BUILDER_REF" != "$(echo -n "$BUILDER_REF" | grep -P '^v\d*(\.([\d]{1,})){0,2}$')" ]]; then - echo "Invalid ref: $BUILDER_REF" +if [[ "$BUILDER_TAG" != "$(echo -n "$BUILDER_TAG" | grep -P '^v\d*(\.([\d]{1,})){0,2}$')" ]]; then + echo "Invalid ref: $BUILDER_TAG" exit 0 fi -echo "Builder version: $BUILDER_REF" +echo "Builder version: $BUILDER_TAG" # Fetch the release binary and provenance. -gh release -R "$BUILDER_REPOSITORY" download "$BUILDER_REF" -p "$BUILDER_RELEASE_BINARY*" +gh release -R "$BUILDER_REPOSITORY" download "$BUILDER_TAG" -p "$BUILDER_RELEASE_BINARY*" # Test #mv $BUILDER_RELEASE_BINARY builder-binary #mv $BUILDER_RELEASE_BINARY.intoto.jsonl builder-binary.intoto.jsonl 
@@ -72,13 +73,13 @@ echo "verifier hash verification has passed" # Verify the provenance of the builder. ./"$VERIFIER_RELEASE_BINARY" --branch "main" \ - --tag "$BUILDER_REF" \ + --tag "$BUILDER_TAG" \ --artifact-path "$BUILDER_RELEASE_BINARY" \ --provenance "$BUILDER_RELEASE_BINARY.intoto.jsonl" \ --source "github.com/$BUILDER_REPOSITORY" -#./verifier-binary --branch main --tag "$BUILDER_REF" --artifact-path builder-binary --provenance builder-binary.intoto.jsonl --source "github.com/$BUILDER_REPOSITORY" || exit 5 -BUILDER_COMMIT=$(gh api /repos/"$BUILDER_REPOSITORY"/git/ref/tags/"$BUILDER_REF" | jq -r '.object.sha') +#./verifier-binary --branch main --tag "$BUILDER_TAG" --artifact-path builder-binary --provenance builder-binary.intoto.jsonl --source "github.com/$BUILDER_REPOSITORY" || exit 5 +BUILDER_COMMIT=$(gh api /repos/"$BUILDER_REPOSITORY"/git/ref/tags/"$BUILDER_TAG" | jq -r '.object.sha') PROVENANCE_COMMIT=$(cat "$BUILDER_RELEASE_BINARY.intoto.jsonl" | jq -r '.payload' | base64 -d | jq -r '.predicate.materials[0].digest.sha1') if [[ "$BUILDER_COMMIT" != "$PROVENANCE_COMMIT" ]]; then echo "Builder commit sha $BUILDER_COMMIT != provenance material $PROVENANCE_COMMIT" @@ -86,4 +87,4 @@ if [[ "$BUILDER_COMMIT" != "$PROVENANCE_COMMIT" ]]; then fi #TODO: verify the command -echo "Builder provenance verified at tag $BUILDER_REF and commit $BUILDER_COMMIT" +echo "Builder provenance verified at tag $BUILDER_TAG and commit $BUILDER_COMMIT" From bf6c8e6b7ae488c5de2bfad0b5fbced8b8561fdf Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 24 May 2022 18:45:53 +0000 Subject: [PATCH 09/28] updates --- .github/workflows/scripts/builder-fetch.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/scripts/builder-fetch.sh b/.github/workflows/scripts/builder-fetch.sh index c4adf167c7..987552febd 100755 --- a/.github/workflows/scripts/builder-fetch.sh +++ b/.github/workflows/scripts/builder-fetch.sh 
@@ -8,6 +8,9 @@ #VERIFIER_RELEASE_BINARY="slsa-verifier-linux-amd64" #VERIFIER_RELEASE_BINARY_SHA256="89fbcba9aed67d5146ea99946c7e4e5a80e3767871f0e3ffcd0b582134efd010" +# This is necessary for the gh CLI. +export GH_TOKEN="$GITHUB_TOKEN" + PREFIX="refs/tags/" # Extract version. From 62e01c086424ae340a576146cba9d187a8fcbe60 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 24 May 2022 18:57:45 +0000 Subject: [PATCH 10/28] updates --- .github/workflows/builder_go_slsa3.yml | 2 ++ .github/workflows/scripts/builder-fetch.sh | 5 +---- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml index 925aa2c232..6ae4fb5222 100644 --- a/.github/workflows/builder_go_slsa3.yml +++ b/.github/workflows/builder_go_slsa3.yml @@ -142,6 +142,8 @@ jobs: env: COMPILE_BUILDER: "${{ inputs.compile-builder }}" BUILDER_REF: "${{ needs.detect-env.outputs.builder_ref }}" + # Needed for the gh CLI used in builder-fetch.sh. + GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}" run: | set -euo pipefail diff --git a/.github/workflows/scripts/builder-fetch.sh b/.github/workflows/scripts/builder-fetch.sh index 987552febd..c0b7f44bae 100755 --- a/.github/workflows/scripts/builder-fetch.sh +++ b/.github/workflows/scripts/builder-fetch.sh @@ -8,9 +8,6 @@ #VERIFIER_RELEASE_BINARY="slsa-verifier-linux-amd64" #VERIFIER_RELEASE_BINARY_SHA256="89fbcba9aed67d5146ea99946c7e4e5a80e3767871f0e3ffcd0b582134efd010" -# This is necessary for the gh CLI. -export GH_TOKEN="$GITHUB_TOKEN" - PREFIX="refs/tags/" # Extract version. @@ -75,7 +72,7 @@ echo "verifier hash verification has passed" # Verify the provenance of the builder. -./"$VERIFIER_RELEASE_BINARY" --branch "main" \ +./"$VERIFIER_RELEASE_BINARY" --branch "man" \ --tag "$BUILDER_TAG" \ --artifact-path "$BUILDER_RELEASE_BINARY" \ --provenance "$BUILDER_RELEASE_BINARY.intoto.jsonl" \ From dfe1da76e5a84c772ca489881700d16bcdb49a1e Mon Sep 17 00:00:00 2001 
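Review bot: `--branch "man"` on the verifier invocation in the last hunk of patch 10 presumably cannot match the builder's `main` branch, so verification of the fetched builder should fail; if this is an intentional negative test (patch 11 changes it back), note that the script currently ignores the verifier's exit status — the multi-line `./"$VERIFIER_RELEASE_BINARY" ...` command has no `|| exit` and the script does not set `-e` — so the failure neither stops the script nor fails the job. A negative test only demonstrates anything once that status is checked. If it was a typo, `--branch "main"` is the fix.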
From: laurentsimon Date: Tue, 24 May 2022 19:09:15 +0000 Subject: [PATCH 11/28] updates --- .github/workflows/builder_go_slsa3.yml | 1 + .github/workflows/scripts/builder-fetch.sh | 10 +++++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml index 6ae4fb5222..1c067ef0d0 100644 --- a/.github/workflows/builder_go_slsa3.yml +++ b/.github/workflows/builder_go_slsa3.yml @@ -23,6 +23,7 @@ env: # Builder BUILDER_BINARY: builder BUILDER_RELEASE_BINARY: slsa-builder-go-linux-amd64 + BUILDER_REPOSITORY: laurentsimon/slsa-github-generator # Verifier VERIFIER_REPOSITORY: laurentsimon/slsa-verifier VERIFIER_RELEASE_BINARY: slsa-verify-linux-amd64 diff --git a/.github/workflows/scripts/builder-fetch.sh b/.github/workflows/scripts/builder-fetch.sh index c0b7f44bae..e452b34714 100755 --- a/.github/workflows/scripts/builder-fetch.sh +++ b/.github/workflows/scripts/builder-fetch.sh 
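Review bot: `BUILDER_REPOSITORY: laurentsimon/slsa-github-generator` makes a personal fork the source of the builder that `builder-fetch.sh` downloads, while the script's own header comment from patch 08 names `slsa-framework/slsa-github-generator`. Since `--source "github.com/$BUILDER_REPOSITORY"` is also what the verifier checks the provenance against, the fork becomes the trust root for every release produced through the fetch path; presumably a development setting, but it deserves a marker such as `# TODO: switch back to slsa-framework/slsa-github-generator before merge` next to it, and the same for `VERIFIER_REPOSITORY` two lines below.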
@@ -50,19 +50,19 @@ fi
 
 if [[ "$BUILDER_TAG" != "$(echo -n "$BUILDER_TAG" | grep -P '^v\d*(\.([\d]{1,})){0,2}$')" ]]; then
 echo "Invalid ref: $BUILDER_TAG"
- exit 0
+ exit 7
 fi
 
 
 echo "Builder version: $BUILDER_TAG"
 # Fetch the release binary and provenance.
-gh release -R "$BUILDER_REPOSITORY" download "$BUILDER_TAG" -p "$BUILDER_RELEASE_BINARY*"
+gh release -R "$BUILDER_REPOSITORY" download "$BUILDER_TAG" -p "$BUILDER_RELEASE_BINARY*" | exit 10
 # Test
 #mv $BUILDER_RELEASE_BINARY builder-binary
 #mv $BUILDER_RELEASE_BINARY.intoto.jsonl builder-binary.intoto.jsonl
 
 # Fetch the verifier at the right hash.
-gh release -R "$VERIFIER_REPOSITORY" download "$VERIFIER_RELEASE" -p "$VERIFIER_RELEASE_BINARY"
+gh release -R "$VERIFIER_REPOSITORY" download "$VERIFIER_RELEASE" -p "$VERIFIER_RELEASE_BINARY" | exit 11
 COMPUTED_HASH=$(sha256sum "$VERIFIER_RELEASE_BINARY" | awk '{print $1}')
 echo "verifier hash computed is $COMPUTED_HASH"
 echo "$VERIFIER_RELEASE_BINARY_SHA256 $VERIFIER_RELEASE_BINARY" | sha256sum --strict --check --status || exit 4
@@ -72,11 +72,11 @@ echo "verifier hash verification has passed"
 
 
 # Verify the provenance of the builder.
-./"$VERIFIER_RELEASE_BINARY" --branch "man" \
+./"$VERIFIER_RELEASE_BINARY" --branch "main" \
 --tag "$BUILDER_TAG" \
 --artifact-path "$BUILDER_RELEASE_BINARY" \
 --provenance "$BUILDER_RELEASE_BINARY.intoto.jsonl" \
- --source "github.com/$BUILDER_REPOSITORY"
+ --source "github.com/$BUILDER_REPOSITORY" | exit 6
 #./verifier-binary --branch main --tag "$BUILDER_TAG" --artifact-path builder-binary --provenance builder-binary.intoto.jsonl --source "github.com/$BUILDER_REPOSITORY" || exit 5
 
 BUILDER_COMMIT=$(gh api /repos/"$BUILDER_REPOSITORY"/git/ref/tags/"$BUILDER_TAG" | jq -r '.object.sha')
From f4710357b7f82549f4f6f363b95c7183b4fef458 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 24 May 2022 19:10:02 +0000
Subject: [PATCH 12/28] updates

---
 .github/workflows/builder_go_slsa3.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

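Review bot: `gh release … | exit 10` does not do what it intends: `exit` runs as the last stage of the pipeline in its own subshell, so the script never stops on a failed download, and the pipeline's status is 10 whether or not gh succeeded. The same construct is used for `| exit 11` in this hunk and `| exit 6` in the next one; each should be `|| exit N`, e.g. `gh release -R "$BUILDER_REPOSITORY" download "$BUILDER_TAG" -p "$BUILDER_RELEASE_BINARY*" || exit 10`. Turning `exit 0` into `exit 7` for an invalid ref is the right direction, since an unparseable ref previously ended the script successfully and the caller would have proceeded without a builder.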
diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml
index 1c067ef0d0..42034b01f8 100644
--- a/.github/workflows/builder_go_slsa3.yml
+++ b/.github/workflows/builder_go_slsa3.yml
@@ -28,7 +28,7 @@ env:
 VERIFIER_REPOSITORY: laurentsimon/slsa-verifier
 VERIFIER_RELEASE_BINARY: slsa-verify-linux-amd64
 VERIFIER_RELEASE_BINARY_SHA256: 89fbcba9aed67d5146ea99946c7e4e5a80e3767871f0e3ffcd0b582134efd010
- VERIFIER_RELEASE: v13.0.10
+ VERIFIER_RELEASE: v0.0.1
 # Builder location
 BUILDER_DIR: builders
 
From f58fa1376a34c499ff1513e822b2f3230a00fb6d Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 24 May 2022 19:20:02 +0000
Subject: [PATCH 13/28] updates

---
 .github/workflows/scripts/builder-fetch.sh | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/.github/workflows/scripts/builder-fetch.sh b/.github/workflows/scripts/builder-fetch.sh
index e452b34714..f395b3b64d 100755
--- a/.github/workflows/scripts/builder-fetch.sh
+++ b/.github/workflows/scripts/builder-fetch.sh
@@ -55,11 +55,9 @@ fi
 
 
 echo "Builder version: $BUILDER_TAG"
+echo "BUILDER_REPOSITORY: $BUILDER_REPOSITORY"
 # Fetch the release binary and provenance.
 gh release -R "$BUILDER_REPOSITORY" download "$BUILDER_TAG" -p "$BUILDER_RELEASE_BINARY*" | exit 10
-# Test
-#mv $BUILDER_RELEASE_BINARY builder-binary
-#mv $BUILDER_RELEASE_BINARY.intoto.jsonl builder-binary.intoto.jsonl
 
 # Fetch the verifier at the right hash.
 gh release -R "$VERIFIER_REPOSITORY" download "$VERIFIER_RELEASE" -p "$VERIFIER_RELEASE_BINARY" | exit 11
@@ -67,9 +65,6 @@ COMPUTED_HASH=$(sha256sum "$VERIFIER_RELEASE_BINARY" | awk '{print $1}')
 echo "verifier hash computed is $COMPUTED_HASH"
 echo "$VERIFIER_RELEASE_BINARY_SHA256 $VERIFIER_RELEASE_BINARY" | sha256sum --strict --check --status || exit 4
 echo "verifier hash verification has passed"
-# Test
-#mv $VERIFIER_RELEASE_BINARY verifier-binary
-
 
 # Verify the provenance of the builder.
 ./"$VERIFIER_RELEASE_BINARY" --branch "main" \
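Review bot: `VERIFIER_RELEASE` moves from v13.0.10 to v0.0.1 while `VERIFIER_RELEASE_BINARY_SHA256` keeps the old 89fbcba9… digest; a pinned digest is only meaningful when it is updated in the same commit as the release it pins, otherwise the `sha256sum --strict --check` in builder-fetch.sh either fails the job or, if the old value never matched any asset, was never pinning anything. Every bump of the verifier should change both lines together. A comment next to the digest naming its origin, e.g. `# sha256 of <asset name> from <repo> release <tag>`, makes a stale digest visible at review time.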
@@ -78,7 +73,6 @@ echo "verifier hash verification has passed"
 --provenance "$BUILDER_RELEASE_BINARY.intoto.jsonl" \
 --source "github.com/$BUILDER_REPOSITORY" | exit 6
 
-#./verifier-binary --branch main --tag "$BUILDER_TAG" --artifact-path builder-binary --provenance builder-binary.intoto.jsonl --source "github.com/$BUILDER_REPOSITORY" || exit 5
 BUILDER_COMMIT=$(gh api /repos/"$BUILDER_REPOSITORY"/git/ref/tags/"$BUILDER_TAG" | jq -r '.object.sha')
 PROVENANCE_COMMIT=$(cat "$BUILDER_RELEASE_BINARY.intoto.jsonl" | jq -r '.payload' | base64 -d | jq -r '.predicate.materials[0].digest.sha1')
 if [[ "$BUILDER_COMMIT" != "$PROVENANCE_COMMIT" ]]; then
From 3ceb216bdeb15131b9171347ae29f2f3e1f8023e Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 24 May 2022 20:51:16 +0000
Subject: [PATCH 14/28] updates

---
 .github/workflows/builder_go_slsa3.yml | 4 ++--
 .github/workflows/scripts/builder-fetch.sh | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml
index 42034b01f8..1281fe6b5a 100644
--- a/.github/workflows/builder_go_slsa3.yml
+++ b/.github/workflows/builder_go_slsa3.yml
@@ -26,8 +26,8 @@ env:
 BUILDER_REPOSITORY: laurentsimon/slsa-github-generator
 # Verifier
 VERIFIER_REPOSITORY: laurentsimon/slsa-verifier
- VERIFIER_RELEASE_BINARY: slsa-verify-linux-amd64
- VERIFIER_RELEASE_BINARY_SHA256: 89fbcba9aed67d5146ea99946c7e4e5a80e3767871f0e3ffcd0b582134efd010
+ VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64
+ VERIFIER_RELEASE_BINARY_SHA256: deb79c8722e3cee0b9ae305215f5c4ecc40b51af2500de7c912d540c27768b28
 VERIFIER_RELEASE: v0.0.1
 # Builder location
 BUILDER_DIR: builders
diff --git a/.github/workflows/scripts/builder-fetch.sh b/.github/workflows/scripts/builder-fetch.sh
index f395b3b64d..474adc3f84 100755
--- a/.github/workflows/scripts/builder-fetch.sh
+++ b/.github/workflows/scripts/builder-fetch.sh
@@ -56,6 +56,7 @@ fi
 
 echo "Builder version: $BUILDER_TAG"
 echo "BUILDER_REPOSITORY: $BUILDER_REPOSITORY"
+
 # Fetch the release binary and provenance.
 gh release -R "$BUILDER_REPOSITORY" download "$BUILDER_TAG" -p "$BUILDER_RELEASE_BINARY*" | exit 10
 
From 346381b1db651ffa6f0f494af26d7e2335b14d05 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 24 May 2022 21:13:19 +0000
Subject: [PATCH 15/28] updates

---
 .github/workflows/builder_go_slsa3.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml
index 1281fe6b5a..6de17ffadc 100644
--- a/.github/workflows/builder_go_slsa3.yml
+++ b/.github/workflows/builder_go_slsa3.yml
@@ -27,8 +27,8 @@ env:
 # Verifier
 VERIFIER_REPOSITORY: laurentsimon/slsa-verifier
 VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64
- VERIFIER_RELEASE_BINARY_SHA256: deb79c8722e3cee0b9ae305215f5c4ecc40b51af2500de7c912d540c27768b28
- VERIFIER_RELEASE: v0.0.1
+ VERIFIER_RELEASE_BINARY_SHA256: fb743bc6bb56908d590da66bfe5c266d003aa226b30fcada5f7b9e4aea43b52b
+ VERIFIER_RELEASE: v0.0.4
 # Builder location
 BUILDER_DIR: builders
 
From 27e88f8e177e921357c9c91908a3d4e7a8e25ed6 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 24 May 2022 21:29:10 +0000
Subject: [PATCH 16/28] updates

---
 .github/workflows/scripts/builder-fetch.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/scripts/builder-fetch.sh b/.github/workflows/scripts/builder-fetch.sh
index 474adc3f84..238ce1e10d 100755
--- a/.github/workflows/scripts/builder-fetch.sh
+++ b/.github/workflows/scripts/builder-fetch.sh
@@ -68,6 +68,7 @@ echo "$VERIFIER_RELEASE_BINARY_SHA256 $VERIFIER_RELEASE_BINARY" | sha256sum --st
 echo "verifier hash verification has passed"
 
 # Verify the provenance of the builder.
+chmod a+x "$VERIFIER_RELEASE_BINARY"
 ./"$VERIFIER_RELEASE_BINARY" --branch "main" \
 --tag "$BUILDER_TAG" \
 --artifact-path "$BUILDER_RELEASE_BINARY" \
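Review bot: `chmod a+x "$VERIFIER_RELEASE_BINARY"` grants execute permission to every user on the runner, which is more than the job needs; `chmod u+x "$VERIFIER_RELEASE_BINARY"` is sufficient. Its placement is right: it comes after the `sha256sum --strict --check` line in the context above, so only a digest-verified download becomes executable. The `./"$VERIFIER_RELEASE_BINARY" …` invocation it precedes continues outside the hunk.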
From 9172dbc3a966dd937ada611f095e8fc5c87d4599 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 24 May 2022 21:46:15 +0000 Subject: [PATCH 17/28] updates --- .github/workflows/builder_go_slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml index 6de17ffadc..6cea50bbc0 100644 --- a/.github/workflows/builder_go_slsa3.yml +++ b/.github/workflows/builder_go_slsa3.yml @@ -168,7 +168,7 @@ jobs: .github/workflows/scripts/builder-fetch.sh - mv "$BUILDER_RELEASE_BINARY" ../../"$BUILDER_BINARY" + mv "$BUILDER_RELEASE_BINARY" "$BUILDER_BINARY" fi From 1baa8a75bbda9d99ca70c302f2a077881d809afc Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 24 May 2022 22:07:11 +0000 Subject: [PATCH 18/28] updates --- .github/workflows/builder_go_slsa3.yml | 10 +++++----- .github/workflows/scripts/builder-fetch.sh | 3 +++ 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml index 6cea50bbc0..9a1b7b5074 100644 --- a/.github/workflows/builder_go_slsa3.yml +++ b/.github/workflows/builder_go_slsa3.yml @@ -158,10 +158,7 @@ jobs: # https://go.dev/ref/mod#build-commands. go build -mod=vendor -o "$BUILDER_BINARY" - BUILDER_DIGEST=$(sha256sum "$BUILDER_BINARY" | awk '{print $1}') - echo "::set-output name=go-builder-sha256::$BUILDER_DIGEST" - echo "hash of $BUILDER_BINARY is $BUILDER_DIGEST" - + mv "$BUILDER_BINARY" ../../"$BUILDER_BINARY" else echo "Fetching the builder with ref: $BUILDER_REF" @@ -170,7 +167,10 @@ jobs: mv "$BUILDER_RELEASE_BINARY" "$BUILDER_BINARY" fi - + + BUILDER_DIGEST=$(sha256sum "$BUILDER_BINARY" | awk '{print $1}') + echo "::set-output name=go-builder-sha256::$BUILDER_DIGEST" + echo "hash of $BUILDER_BINARY is $BUILDER_DIGEST" - name: Upload the builder uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1 
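Review bot: After the compile branch's new `mv "$BUILDER_BINARY" ../../"$BUILDER_BINARY"` the shell is presumably still inside the builder directory it changed into earlier in the step (that `cd` is outside the hunk), so the `BUILDER_DIGEST=$(sha256sum "$BUILDER_BINARY" …)` that now runs after `fi` would look for the file in the wrong directory on that path; return to the original directory before `fi` (the following commit adds `cd -`) or hash the file by the path it was moved to. Moving the digest computation after the `if`/`else` is otherwise the right change, since on the fetch path the builder was previously never hashed for the `go-builder-sha256` output. Separately, the `echo "::set-output …"` workflow command has since been deprecated by GitHub in favour of appending `name=value` to the file named by `$GITHUB_OUTPUT`.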
diff --git a/.github/workflows/scripts/builder-fetch.sh b/.github/workflows/scripts/builder-fetch.sh index 238ce1e10d..23c6ed9d14 100755 --- a/.github/workflows/scripts/builder-fetch.sh +++ b/.github/workflows/scripts/builder-fetch.sh @@ -1,4 +1,7 @@ #!/usr/bin/env bash + +set -euo pipefail + # Caller sets the following: #BUILDER_REPOSITORY="slsa-framework/slsa-github-generator" #BUILDER_TAG="v13.0.10" or "6a1e642a8689671a2cec9287149eb50bd9fe5ef6" From d5d3b191f91f763f5350a669bbe64964885981cd Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 24 May 2022 22:15:23 +0000 Subject: [PATCH 19/28] updates --- .github/workflows/builder_go_slsa3.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml index 9a1b7b5074..a5095fa1f4 100644 --- a/.github/workflows/builder_go_slsa3.yml +++ b/.github/workflows/builder_go_slsa3.yml @@ -158,16 +158,19 @@ jobs: # https://go.dev/ref/mod#build-commands. go build -mod=vendor -o "$BUILDER_BINARY" - + mv "$BUILDER_BINARY" ../../"$BUILDER_BINARY" + + cd - else echo "Fetching the builder with ref: $BUILDER_REF" .github/workflows/scripts/builder-fetch.sh mv "$BUILDER_RELEASE_BINARY" "$BUILDER_BINARY" + fi - + BUILDER_DIGEST=$(sha256sum "$BUILDER_BINARY" | awk '{print $1}') echo "::set-output name=go-builder-sha256::$BUILDER_DIGEST" echo "hash of $BUILDER_BINARY is $BUILDER_DIGEST" From 8e304203e906c470328217f2d8f6856558e74e0f Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 24 May 2022 22:49:25 +0000 Subject: [PATCH 20/28] updates --- .github/workflows/scripts/builder-fetch.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/scripts/builder-fetch.sh b/.github/workflows/scripts/builder-fetch.sh index 23c6ed9d14..e36a9956be 100755 --- a/.github/workflows/scripts/builder-fetch.sh +++ b/.github/workflows/scripts/builder-fetch.sh 
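Review bot: With `set -euo pipefail` now in effect, the `gh … | exit 10`, `| exit 11` and `| exit 6` lines further down the file (outside this hunk) abort every run: a pipeline whose last stage is `exit 10` returns 10 whether or not gh succeeded, and `-e` then terminates the script. Those lines must become `|| exit N` in the same change (a later commit in the series does so). `-u` additionally makes the caller-supplied variables mandatory, which is desirable; the `# Caller sets the following:` block just below could state that explicitly, e.g. `# All of these are required; the script aborts under set -u if any is missing.`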
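Review bot: `cd -` relies on `OLDPWD` and prints the directory name to stdout, which ends up in the step log; running the build in a subshell, `( cd <builder dir> && go build -mod=vendor -o "$BUILDER_BINARY" && mv "$BUILDER_BINARY" ../../"$BUILDER_BINARY" )`, leaves the step's working directory untouched without a second `cd`. The `cd` into the builder directory is outside the hunk, so the directory name above is a placeholder.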
@@ -61,10 +61,10 @@ echo "Builder version: $BUILDER_TAG"
 echo "BUILDER_REPOSITORY: $BUILDER_REPOSITORY"
 
 # Fetch the release binary and provenance.
-gh release -R "$BUILDER_REPOSITORY" download "$BUILDER_TAG" -p "$BUILDER_RELEASE_BINARY*" | exit 10
+gh release -R "$BUILDER_REPOSITORY" download "$BUILDER_TAG" -p "$BUILDER_RELEASE_BINARY*" || exit 10
 
 # Fetch the verifier at the right hash.
-gh release -R "$VERIFIER_REPOSITORY" download "$VERIFIER_RELEASE" -p "$VERIFIER_RELEASE_BINARY" | exit 11
+gh release -R "$VERIFIER_REPOSITORY" download "$VERIFIER_RELEASE" -p "$VERIFIER_RELEASE_BINARY" || exit 11
 COMPUTED_HASH=$(sha256sum "$VERIFIER_RELEASE_BINARY" | awk '{print $1}')
 echo "verifier hash computed is $COMPUTED_HASH"
 echo "$VERIFIER_RELEASE_BINARY_SHA256 $VERIFIER_RELEASE_BINARY" | sha256sum --strict --check --status || exit 4
@@ -76,7 +76,7 @@ chmod a+x "$VERIFIER_RELEASE_BINARY"
 --tag "$BUILDER_TAG" \
 --artifact-path "$BUILDER_RELEASE_BINARY" \
 --provenance "$BUILDER_RELEASE_BINARY.intoto.jsonl" \
- --source "github.com/$BUILDER_REPOSITORY" | exit 6
+ --source "github.com/$BUILDER_REPOSITORY" || exit 6
 
 BUILDER_COMMIT=$(gh api /repos/"$BUILDER_REPOSITORY"/git/ref/tags/"$BUILDER_TAG" | jq -r '.object.sha')
 PROVENANCE_COMMIT=$(cat "$BUILDER_RELEASE_BINARY.intoto.jsonl" | jq -r '.payload' | base64 -d | jq -r '.predicate.materials[0].digest.sha1')
From 3af0f5fa03ec269a712f9b903d6827a5269f4a57 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 24 May 2022 23:03:31 +0000
Subject: [PATCH 21/28] updates

---
 .github/workflows/scripts/builder-fetch.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/scripts/builder-fetch.sh b/.github/workflows/scripts/builder-fetch.sh
index e36a9956be..d9a72ab556 100755
--- a/.github/workflows/scripts/builder-fetch.sh
+++ b/.github/workflows/scripts/builder-fetch.sh
@@ -32,7 +32,7 @@ if [[ "$BUILDER_TAG" = "$(echo -n "$BUILDER_TAG" | grep -P '^[a-f\d]{40}$')" ]];
 while read line; do
 TAG=$(echo "$line" | cut -f1)
 BRANCH=$(gh release -R "$BUILDER_REPOSITORY" view "$TAG" --json targetCommitish --jq '.targetCommitish')
- if [[ "$BRANCH" != "main" ]]; then
+ if [[ "$BRANCH" != "feat/fastbuilds" ]]; then
 continue
 fi
 COMMIT=$(gh api /repos/"$BUILDER_REPOSITORY"/git/ref/tags/"$TAG" | jq -r '.object.sha')
From ebf308c7ae63f9e43ea2707fa6f23bd2bb20a58b Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 24 May 2022 23:12:57 +0000
Subject: [PATCH 22/28] updates

---
 .github/workflows/builder_go_slsa3.yml | 1 +
 .github/workflows/scripts/builder-fetch.sh | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml
index a5095fa1f4..73af5b8cbc 100644
--- a/.github/workflows/builder_go_slsa3.yml
+++ b/.github/workflows/builder_go_slsa3.yml
@@ -25,6 +25,7 @@ env:
 BUILDER_RELEASE_BINARY: slsa-builder-go-linux-amd64
 BUILDER_REPOSITORY: laurentsimon/slsa-github-generator
 # Verifier
+ #TODO(revert) repo name and hashes
 VERIFIER_REPOSITORY: laurentsimon/slsa-verifier
 VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64
 VERIFIER_RELEASE_BINARY_SHA256: fb743bc6bb56908d590da66bfe5c266d003aa226b30fcada5f7b9e4aea43b52b
diff --git a/.github/workflows/scripts/builder-fetch.sh b/.github/workflows/scripts/builder-fetch.sh
index d9a72ab556..38ffef1daa 100755
--- a/.github/workflows/scripts/builder-fetch.sh
+++ b/.github/workflows/scripts/builder-fetch.sh
@@ -32,6 +32,7 @@ if [[ "$BUILDER_TAG" = "$(echo -n "$BUILDER_TAG" | grep -P '^[a-f\d]{40}$')" ]];
 while read line; do
 TAG=$(echo "$line" | cut -f1)
 BRANCH=$(gh release -R "$BUILDER_REPOSITORY" view "$TAG" --json targetCommitish --jq '.targetCommitish')
+ #TODO(revert) main
 if [[ "$BRANCH" != "feat/fastbuilds" ]]; then
 continue
 fi
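Review bot: Hardcoding `feat/fastbuilds` as the branch a builder release must come from weakens the check that protects the fetched builder, since any tag cut from that feature branch is now accepted, and the `--branch` value handed to the verifier (changed separately in the next commit's hunk on the verifier invocation) has to be edited in lockstep or the two checks disagree, which is exactly what happened here. If this is temporary test wiring it should not reach `main`; either way, pulling the value into one variable, `BUILDER_RELEASE_BRANCH="main"`, used by both `[[ "$BRANCH" != "$BUILDER_RELEASE_BRANCH" ]]` and `--branch "$BUILDER_RELEASE_BRANCH"`, removes the drift. The `while read line` loop containing this test starts outside the hunk.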
@@ -72,7 +73,8 @@ echo "verifier hash verification has passed"
 
 # Verify the provenance of the builder.
 chmod a+x "$VERIFIER_RELEASE_BINARY"
-./"$VERIFIER_RELEASE_BINARY" --branch "main" \
+#TODO(revert) main
+./"$VERIFIER_RELEASE_BINARY" --branch "feat/fastbuilds" \
 --tag "$BUILDER_TAG" \
 --artifact-path "$BUILDER_RELEASE_BINARY" \
 --provenance "$BUILDER_RELEASE_BINARY.intoto.jsonl" \
From 321f4510ff4378624b7628612e43de65f6295b83 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 24 May 2022 23:41:16 +0000
Subject: [PATCH 23/28] updates

---
 .github/workflows/builder_go_slsa3.yml | 7 +++----
 .github/workflows/scripts/builder-fetch.sh | 6 ++----
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml
index 73af5b8cbc..4590636a5b 100644
--- a/.github/workflows/builder_go_slsa3.yml
+++ b/.github/workflows/builder_go_slsa3.yml
@@ -23,13 +23,12 @@ env:
 # Builder
 BUILDER_BINARY: builder
 BUILDER_RELEASE_BINARY: slsa-builder-go-linux-amd64
- BUILDER_REPOSITORY: laurentsimon/slsa-github-generator
+ BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
 # Verifier
- #TODO(revert) repo name and hashes
- VERIFIER_REPOSITORY: laurentsimon/slsa-verifier
+ VERIFIER_REPOSITORY: slsa-framework/slsa-verifier
 VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64
 VERIFIER_RELEASE_BINARY_SHA256: fb743bc6bb56908d590da66bfe5c266d003aa226b30fcada5f7b9e4aea43b52b
- VERIFIER_RELEASE: v0.0.4
+ VERIFIER_RELEASE: v0.0.1
 # Builder location
 BUILDER_DIR: builders
 
diff --git a/.github/workflows/scripts/builder-fetch.sh b/.github/workflows/scripts/builder-fetch.sh
index 38ffef1daa..e36a9956be 100755
--- a/.github/workflows/scripts/builder-fetch.sh
+++ b/.github/workflows/scripts/builder-fetch.sh
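Review bot: `VERIFIER_RELEASE` goes back to v0.0.1 and `VERIFIER_REPOSITORY` to slsa-framework/slsa-verifier, but `VERIFIER_RELEASE_BINARY_SHA256` keeps fb743bc6…, the digest that was introduced together with v0.0.4 of the laurentsimon fork two commits earlier. Unless the upstream v0.0.1 asset is byte-identical to that fork's v0.0.4 asset, the `sha256sum --strict --check` in builder-fetch.sh will fail the job, so the digest has to be re-derived from the upstream v0.0.1 asset in this same commit. A comment such as `# sha256 of <asset name> from <repo> release <tag>` beside the digest would make this kind of mismatch visible at review time.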
@@ -32,8 +32,7 @@ if [[ "$BUILDER_TAG" = "$(echo -n "$BUILDER_TAG" | grep -P '^[a-f\d]{40}$')" ]];
 while read line; do
 TAG=$(echo "$line" | cut -f1)
 BRANCH=$(gh release -R "$BUILDER_REPOSITORY" view "$TAG" --json targetCommitish --jq '.targetCommitish')
- #TODO(revert) main
- if [[ "$BRANCH" != "feat/fastbuilds" ]]; then
+ if [[ "$BRANCH" != "main" ]]; then
 continue
 fi
 COMMIT=$(gh api /repos/"$BUILDER_REPOSITORY"/git/ref/tags/"$TAG" | jq -r '.object.sha')
@@ -73,8 +72,7 @@ echo "verifier hash verification has passed"
 
 # Verify the provenance of the builder.
 chmod a+x "$VERIFIER_RELEASE_BINARY"
-#TODO(revert) main
-./"$VERIFIER_RELEASE_BINARY" --branch "feat/fastbuilds" \
+./"$VERIFIER_RELEASE_BINARY" --branch "main" \
 --tag "$BUILDER_TAG" \
 --artifact-path "$BUILDER_RELEASE_BINARY" \
 --provenance "$BUILDER_RELEASE_BINARY.intoto.jsonl" \
From 2c24f08351b08f8351054abe9ea70982ae1f1e5a Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 24 May 2022 23:45:52 +0000
Subject: [PATCH 24/28] updates

---
 .github/workflows/builder_go_slsa3.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml
index 4590636a5b..6f0c119965 100644
--- a/.github/workflows/builder_go_slsa3.yml
+++ b/.github/workflows/builder_go_slsa3.yml
@@ -59,7 +59,7 @@ on:
 required: false
 type: string
 compile-builder:
- description: "Build the builder from source. This increases build time by ~2mn."
+ description: "Build the builder from source. This speeds up build time by ~2mn."
 required: false
 type: boolean
 default: false
From d0e360cdf5e58158ab12952620c105a6df1ee3ce Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 24 May 2022 23:47:20 +0000
Subject: [PATCH 25/28] updates

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2d57ef6d7e..9bddd4cbac 100644
--- a/.github/workflows/release.yml
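Review bot: The new `compile-builder` description says building from source "speeds up build time by ~2mn", which inverts the option's meaning — compiling is what adds the time, and the replaced wording had it right; keep `description: "Build the builder from source. This increases build time by ~2mn."` (the last commit of the series restores it). Since this input appears to decide between compiling the builder and downloading a release binary that is then provenance-verified, the description is also the place to say so, e.g. `"Build the builder from source instead of downloading the verified release binary. This increases build time by ~2mn."`.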
+++ b/.github/workflows/release.yml
@@ -16,7 +16,7 @@ jobs:
 permissions:
 id-token: write # For signing.
 contents: write # For asset uploads.
- uses: laurentsimon/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@feat/fastbuilds
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@main
 with:
 go-version: 1.18
 config-file: .github/workflows/configs-go/config-release.yml
From 2d8615f1b4eb83fba57e9c4fce5343aa4c6d18fb Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 24 May 2022 23:49:28 +0000
Subject: [PATCH 26/28] updates

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9bddd4cbac..2dc99d45c4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,4 +20,4 @@ jobs:
 with:
 go-version: 1.18
 config-file: .github/workflows/configs-go/config-release.yml
- compile-builder: true
\ No newline at end of file
+ compile-builder: true
From 1c24e7d686507dccd86384b5365a204c342d9194 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Wed, 25 May 2022 00:05:26 +0000
Subject: [PATCH 27/28] updates

---
 .github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml
index 6c5d046b7e..98d764541f 100644
--- a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml
+++ b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml
@@ -33,6 +33,7 @@ jobs:
 go-version: 1.18
 config-file: .github/workflows/configs-go/config-ldflags-main-dir.yml
 evaluated-envs: "VERSION:${{needs.args.outputs.version}},COMMIT:${{needs.args.outputs.commit}},BRANCH:${{needs.args.outputs.branch}}"
+ compile-builder: true
 
 verify:
 runs-on: ubuntu-latest
From f573960043679f706263f3aa5d412b2b751bbcd8 Mon Sep 17 00:00:00 2001
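Review bot: `uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@main` references the reusable builder workflow by a moving branch, so each release run picks up whatever is on main at that moment; for a job that signs releases, pinning to a tag or, stronger, a full commit SHA (as this series already does for `actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535`) keeps the builder fixed and reviewable. Since this is the project's own repository, tracking main may be deliberate dogfooding, in which case a short comment above the line, `# Intentionally tracks main: this repo tests its own builder on every release.`, would stop the next reader from filing the same finding. The `jobs:` entry this `uses:` belongs to starts outside the hunk.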
From: laurentsimon
Date: Wed, 25 May 2022 16:47:27 +0000
Subject: [PATCH 28/28] updates

---
 .github/workflows/builder_go_slsa3.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml
index 6f0c119965..4590636a5b 100644
--- a/.github/workflows/builder_go_slsa3.yml
+++ b/.github/workflows/builder_go_slsa3.yml
@@ -59,7 +59,7 @@ on:
 required: false
 type: string
 compile-builder:
- description: "Build the builder from source. This speeds up build time by ~2mn."
+ description: "Build the builder from source. This increases build time by ~2mn."
 required: false
 type: boolean
 default: false